mcp-front

The project demonstrates a very high level of security consciousness. It mandates OAuth 2.0 with PKCE, enforces Google Workspace domain validation, encrypts session cookies using AES-256-GCM, and applies per-service audience claims (RFC 8707) to prevent token reuse. Secrets are strictly managed via environment variables and validated for sufficient entropy (e.g., JWT_SECRET must be 32+ bytes). Network traffic forwarding actively strips sensitive hop-by-hop and internal authentication headers. Inline command execution is carefully controlled to prevent injection. Extensive integration tests cover authentication bypass, malformed inputs, and secure session handling. The project explicitly defines its security boundary (proxy for authentication, backend for authorization/input validation) and warns that it's alpha software, but the implemented security features are robust.